Background

With Gartner's recently published market guide, which introduces container security as part of vulnerability management, and with Tenable being the only vendor that already possesses it (through its acquisition of FlawCheck last year and the launch of the Tenable.io platform), the market has changed again.

Tenable.io also introduces Web Application Scanning (WAS) as part of the platform offering. With container security and web application security, Tenable now leads in container security and has entered what we traditionally call the application security market (traditionally occupied by web vulnerability scanner and static source code analyzer vendors). Rapid7 earlier acquired NTO and entered application security as well, rebranding the product as AppSpider. We expect the other vendors to catch up on container security, most likely by acquiring existing players who offer it.

Technology keeps changing over the years: the earlier shift to cloud and online delivery under the software as a service (SaaS) model saw Qualys emerge as the leading player in that field. With the latest acquisitions and the integration of other new technology, the real differentiators between the major players have become minimal, so we can expect major vendors to try to introduce unique and specialized areas to differentiate themselves from one another (takeovers, mergers and acquisitions being the obvious option for entering a market rapidly).

Application security in depth alone is an area Tenable did not enter in the past; it is dominated by web application scanners offering dynamic and static application security testing (DAST, SAST) or the newer interactive application security testing (IAST). We can expect the market to change again.

Traditional vulnerability management and specialized web application scanners are becoming more generic offerings, and price points have come down significantly as the technologies mature and more me-too products enter the market. The availability of open source alternatives leaves the enterprise market, which is willing to pay for commercial offerings, as the primary target for all the commercial vendors.

We also see a trend of traditional penetration testing tool vendors attempting to enter the vulnerability management market: Rapid7 acquired Metasploit in the past, and more recently Core Security has made a vulnerability management offering.

We also see a trend of companies that used to offer SAST now trying to enter DAST in the application security field. Mobile application security testing (Mobile AST), as a new technology, is also seeing rising demand from today's mobile-application-driven businesses.

On the other end, we see smaller vendors who previously focused on a single tool product now also attempting to expand their offering to a larger audience. The big players are extending their products with niche products to penetrate segments previously recognized as niche as well.

Future of Vulnerability Management

Predictions for the near-future product market

Container security will be one of the unique offerings, and slowly all the major players will incorporate it into their offering (whether as an option or bundled).

Unification of vulnerability management and application security in the near future (eliminating some players that cannot transition to the new market reality).

Standalone, niche-focused products that are easy to use will continue to play a role in the market for those looking to solve a specific purpose; both generic and specialized products/tools will continue to be available for those who need them.

Shift-left trend (moving security from the finished product into software development): more and more customers look for integrated tools to streamline the vulnerability/security fixing cycle as early as the development process.

The future vulnerability management suite depends on end-user requirements. For complex enterprise requirements, it will include the unified vulnerability management aspects/functional modules above, either bundled in the package or as options.

As you can see from the market product shift underway, if you need to make any major decision in the short term, a license subscription (LS) is the way to go: it is pointless to own an "outdated product" and pay a significant investment upfront for something that may or may not remain relevant to the changed market at all.

E-SPIN Group has been a vulnerability management, application security and penetration testing product and solution provider for over 13 years in the market. E-SPIN will continue to be active in this business domain and help customers make the right investments that yield a return on investment.